Some of the most effective rootkits are (or include) kernel modules. By compiling all needed features into the kernel, and disabling modules entirely, you can block them.

This technique is useful on servers where the hardware seldom changes. It is not recommended for desktops, which are likely to need to hotplug USB or FireWire devices, or to mount a variety of filesystems from time to time.

I find building everything statically reduces the errors when trying to load a module/driver or when messing with the modules.conf file... as most times, the module is already loaded with the features I need.

So what I do is patch the kernel-2.6 w/ supermount and an orinoco hack for monitoring -- with the intent of keeping the kernel as clean of patches as possible. I have also recently started to build ieee1394/firewire statically since this feature now supports hotplugging... no need to unload & load ieee1394 modules, as almost all the bugs are worked out of hotplugging hard drives and CD-ROM drives.

The only thing I'm loading as a module is the evdev due to my wacom pad or synaptics touch pad ... and I forget why!

As a side note, I find that the o/s loads faster with a monolithic kernel versus modular. But load times for the kernel are slightly increased on the monolithic kernel. ... no biggy.

Prior to kernel-2.6, I was still loading a lot of stuff as modules (i.e. pcmcia/ieee1394/ide-scsi/scsi, ...).

Roger
http://rogerx.freeshell.org/

OK, I think compiling some drivers as modules only makes sense if you often change your hardware... most desktop systems are "static" in that respect, so building a monolithic kernel would be the better choice.

On a notebook the situation is different. I use Gentoo on a notebook, which I sometimes use in a docking station, in several different network environments, with different monitors, printers, scanners and so on. In this case it is better to compile a lot of drivers as modules, so they will only be loaded if the appropriate hardware is present... the "main" drivers for the notebook itself are of course compiled in.

I hope this helps those who are undecided; if not, OK, shame on me, this is another useless post....

To be honest, I *try* to compile everything statically into the kernel (to avoid loading modules on startup, as it does somewhat slow down the boot process, & sometimes using modules can conflict (at least in kernel-2.4 modules did)).

But the clincher on the laptops is that sometimes you need to patch the kernel drivers with either more up-to-date code or because the driver isn't in the kernel yet (i.e. wacom, nvidia, orinoco monitor patch, ...).

I tend to just compile all my usb printer/scanner drivers right in too. Unless you're worried about memory usage, laptops these days can have plenty of memory... granted, 512MB ain't exactly overdoing it!

Again, pros/cons of usb drivers as static/modules -- do you want to have the kernel fiddle with loading these during runtime and hope they load OK? ... or do you just want to plug in h/w and already have the driver up and waiting to run? A lot of pros/cons to consider -- and I still do not believe that there is one single "right way" of doing this (i.e. the freedom of doing it your way).

If I was running low on memory (which I do sometimes), I might use more modules. Another thing one has to consider is "just how much memory" is saved by doing so... sometimes the module "help" text does offer size info, but most times it's either negligible or not listed.

... and then configure the device stealing the interrupt or ioport address to use a specific address. I'm going to guess you have your network card or other device as a module and having the pcmcia network device get first take at the pool of addresses is fixing the problem. No sweat though, as I do the same thing as you to resolve them as it is easier!

I had to compile something as a module and set pcmcia init.d to default rather than boot. The proper way for me would have been to exclude/include the address within the config file of pcmcia!

Roger
http://rogerx.freeshell.org/

There have been a couple of annoyances I've run into running monolithic servers. As someone pointed out, it is part of a set of tactics for making more secure systems, which is great, especially if you have static hardware and don't mind recompiling to get new stuff.

The annoyances are:

1) entries in the system log like:

modprobe: FATAL: Could not load /lib/modules/2.6.7-gentoo-r11/modules.dep: No such file or directory

Somewhere, someone is calling modprobe, and I can't figure out who or why. They also show up during boot, and although /etc/init.d/modules is depended on all over the place (and listed in CRITICAL_SERVICES in /sbin/rc), it is smart enough to exit cleanly if it doesn't see /proc/modules, so I'm pretty sure it's not to blame.

2) sensors-detect and other misc programs barf and die if they can't load modules. I *could* try to configure sensors by hand, but I enjoy being somewhat sane, thank you.

Perhaps I just missed the "modules=no" param in /etc/rc.conf ^_^

This post more meaningful in a scalar context.

Yes. Some of the init.d services (i.e. hotplug may be a culprit also), where if everything is static/monolithic, then you will get false errors posted to the syslog about not being able to load a module. Usually, I tend to ignore these, as it's obvious this gets down to providing a proper script to recognize the module is statically compiled. This does not affect run time.
i.e.: cat /proc/config.gz | gzip -dc

And yes, newer modules or experimental (buggy) modules may have a rougher time being statically linked. All modules seem to go through this phase where they need to be unloaded & reloaded due to bugs.

So, what I do to try to stay completely monolithic is compile almost everything statically except for the few buggy ones.
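The thread's own check for what is built in is to read /proc/config.gz. The script below is an added example, not from the thread or from any poster: it classifies a kernel config as monolithic or modular from the CONFIG_MODULES line, lists which symbols under a prefix (e.g. IEEE1394) are built in versus =m, and reports whether the running kernel can still load modules. It assumes CONFIG_IKCONFIG_PROC=y (otherwise /proc/config.gz does not exist and a constructed sample config is used instead), and the kernel.modules_disabled sysctl it consults exists only on kernels newer than the 2.6.7 discussed above. Function names and the sample config fragment are this example's own. Note that leaving CONFIG_MODULES unset removes the module loading path; it is not by itself a guarantee against every kernel-level rootkit.

```shell
#!/bin/sh
# Added example: inspect a kernel config for module support and report
# whether the running kernel can still load modules. Not from the thread;
# function names and the sample config below are made up for illustration.

# Exported by the running kernel when CONFIG_IKCONFIG_PROC=y (assumption).
PROC_CONFIG=/proc/config.gz

# classify_kernel_config FILE
#   FILE is a plain-text .config. Prints "static" when CONFIG_MODULES is
#   unset (monolithic kernel), "modular" when it is set, else "unknown".
classify_kernel_config() {
    if grep -q '^# CONFIG_MODULES is not set$' "$1"; then
        echo static
    elif grep -q '^CONFIG_MODULES=y$' "$1"; then
        echo modular
    else
        echo unknown
    fi
}

# list_builtin FILE PREFIX
#   Prints CONFIG_ symbols starting with PREFIX that are built in (=y).
list_builtin() {
    grep -E "^CONFIG_${2}[A-Z0-9_]*=y$" "$1" | sed 's/=y$//'
}

# list_modules FILE PREFIX
#   Same, for symbols set to =m (these need module loading to work at all).
list_modules() {
    grep -E "^CONFIG_${2}[A-Z0-9_]*=m$" "$1" | sed 's/=m$//'
}

# running_kernel_can_load_modules
#   Exit status 0 if the running kernel still accepts modules, 1 if not.
#   /proc/modules only exists when CONFIG_MODULES is set; on kernels that
#   have it, kernel.modules_disabled=1 also blocks any further loading.
running_kernel_can_load_modules() {
    [ -e /proc/modules ] || return 1
    if [ -r /proc/sys/kernel/modules_disabled ] &&
       [ "$(cat /proc/sys/kernel/modules_disabled)" = 1 ]; then
        return 1
    fi
    return 0
}

# write_sample_config FILE
#   Writes a constructed fragment of a monolithic .config (a real one is
#   thousands of lines) so the script can be exercised without /proc/config.gz.
write_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated make config: don't edit
CONFIG_X86=y
# CONFIG_MODULES is not set
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_IEEE1394=y
CONFIG_IEEE1394_SBP2=y
CONFIG_INPUT_EVDEV=y
CONFIG_PCMCIA=y
EOF
}

main() {
    tmp=$(mktemp) || exit 1
    # Prefer the running kernel's config; fall back to the constructed sample.
    if ! gzip -dc "$PROC_CONFIG" > "$tmp" 2>/dev/null; then
        echo "no readable $PROC_CONFIG; using constructed sample config" >&2
        write_sample_config "$tmp"
    fi
    echo "kernel config: $(classify_kernel_config "$tmp")"
    echo "IEEE1394 symbols built in:";  list_builtin "$tmp" IEEE1394
    echo "IEEE1394 symbols as modules:"; list_modules "$tmp" IEEE1394
    if running_kernel_can_load_modules; then
        echo "running kernel: module loading possible"
    else
        echo "running kernel: module loading not possible"
    fi
    rm -f "$tmp"
}

main "$@"
```

On a monolithic server the expected output is "kernel config: static" and "module loading not possible"; a "modular" config with any =m lines under a driver prefix is the case where the modprobe errors quoted in this thread actually matter, because that driver cannot work without loading something.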

Quote:

Yes. Some of the init.d services (i.e. hotplug may be a culprit also), where if everything is static/monolithic, then you will get false errors posted to the syslog about not being able to load a module.

Interestingly, 'ps' seems to be a big culprit...

This post more meaningful in a scalar context.

Thanks cdunham, sorry for being such a noob and thanks to you for being so nice with me. That error has gone, but I still have a problem with the internet connection; now I will try on IRC channels and searching on Google.

Don't know if this is the right place to post this question, but it struck me when reading the faq.

The TS of the faq says

Quote:

...and your Linux system will theoretically only load the driver that is appropriate for the hardware setup at the time.

Does this mean that, when I compile something as a module, I won't need to load it manually, but that the system will load it when it detects the hardware? IOW, when the hardware is detected but support isn't built into the kernel, the system will look for the appropriate module, and when the module isn't compiled the hardware fails to work?